[68215] in North American Network Operators' Group
Re: One hint - how to detect infected machines _post mortem_... Re: dealing with w32/bagle
daemon@ATHENA.MIT.EDU (James M. Kretchmar)
Fri Mar 5 13:22:45 2004
To: "Alexei Roudnev" <alex@relcom.net>
Cc: "Sam Stickland" <sam_ml@spacething.org>, nanog@merit.edu
In-Reply-To: Your message of "Fri, 05 Mar 2004 08:20:29 PST."
Date: Fri, 05 Mar 2004 13:22:03 -0500
From: "James M. Kretchmar" <kretch@MIT.EDU>
Errors-To: owner-nanog-outgoing@merit.edu
Also take a look at Neo at http://www.ktools.org/ which is scriptable
and does all the SNMP work behind the scenes for you. A beta of the
new 2.0 version (in Python) will be out within a week.
kretch
> Solution:
> - get all port statistics from switch (using SNMPGET and using simple
> 'telnetting' script - we have 'RUN-cmd' tool allowing to run switch commands
> from shell file;
> - remove all ports with traffic less than some threshold;
> - calculate IN/OUT packets ratio for the rest of ports;
> - find ports, where IN/OUT ratio (IN - to switch) > 6;
> - on these ports, find ports with average packet size < 256 bytes;
>
> It shows all ports with infected notebooks (even if the notebook was connected
> for half a day).
>
> PS. Of course, after this a few additional monitoring tools were installed, and
> we added _all_ switches and _all_ ports to the 'snmpstat' monitoring system (it
> allows you to see traffic in real time and analyze historical charts,
> including such things as packet size).
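The quoted procedure (drop quiet ports, then flag ports whose inbound/outbound packet ratio exceeds 6 and whose average inbound packet is under 256 bytes) can be applied offline to two snapshots of per-port counters. The script below is an added example and is not code from either poster or from the Neo tool; the two snapshots are constructed to look like IF-MIB ifInUcastPkts / ifOutUcastPkts / ifInOctets / ifOutOctets readings taken an interval apart, and the minimum-traffic threshold of 10,000 packets is an assumed value since the thread does not state one. It also handles a single 32-bit counter wrap between snapshots, which the thread does not mention but which matters on any long-running poll.

```python
"""Post-mortem scan of switch port counters for worm-like traffic.

Added example applying the heuristic quoted in the NANOG thread:
  1. drop ports with less traffic than a threshold,
  2. compute IN/OUT packet ratio (IN = traffic from host into the switch),
  3. keep ports with ratio > 6,
  4. of those, keep ports whose average inbound packet is < 256 bytes.
The counter snapshots below are constructed, not real SNMP output.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortCounters:
    in_pkts: int      # ifInUcastPkts
    out_pkts: int     # ifOutUcastPkts
    in_octets: int    # ifInOctets
    out_octets: int   # ifOutOctets


MIN_PKTS = 10_000          # assumed: ports below this total are "quiet" and skipped
RATIO_THRESHOLD = 6.0      # from the thread: IN/OUT > 6
MAX_AVG_PKT_SIZE = 256     # from the thread: average inbound packet < 256 bytes


def counter_delta(new: int, old: int, width: int = 32) -> int:
    """Difference between two counter readings, tolerating one wrap."""
    if new >= old:
        return new - old
    return (1 << width) - old + new


def suspicious_ports(before: dict, after: dict,
                     min_pkts: int = MIN_PKTS,
                     ratio: float = RATIO_THRESHOLD,
                     max_avg: int = MAX_AVG_PKT_SIZE) -> list:
    """Return (port, in/out ratio, avg inbound bytes) for ports matching the heuristic."""
    findings = []
    for port, new in after.items():
        old = before.get(port)
        if old is None:
            continue  # port only present in one snapshot; cannot compute a delta
        in_pkts = counter_delta(new.in_pkts, old.in_pkts)
        out_pkts = counter_delta(new.out_pkts, old.out_pkts)
        in_octets = counter_delta(new.in_octets, old.in_octets)
        if in_pkts + out_pkts < min_pkts:
            continue  # step 1: quiet port
        io_ratio = in_pkts / out_pkts if out_pkts else float("inf")
        if io_ratio <= ratio:
            continue  # step 3: host is not talking far more than it is listening
        avg_in = in_octets / in_pkts if in_pkts else 0.0
        if avg_in >= max_avg:
            continue  # step 4: large packets look like bulk transfer, not scanning
        findings.append((port, round(io_ratio, 1), round(avg_in)))
    return sorted(findings)


# Constructed snapshots (an interval apart). Gi1/0/1 and Gi1/0/5 mimic hosts
# spraying small packets; Gi1/0/4 is a bulk uploader (high ratio, big packets);
# Gi1/0/5 also has ifInUcastPkts wrap at 2^32 between the two readings.
BEFORE = {
    "Gi1/0/1": PortCounters(1_000_000, 500_000, 800_000_000, 400_000_000),
    "Gi1/0/2": PortCounters(2_000_000, 2_100_000, 1_500_000_000, 1_600_000_000),
    "Gi1/0/3": PortCounters(5_000, 4_000, 3_000_000, 2_000_000),
    "Gi1/0/4": PortCounters(10_000_000, 9_000_000, 3_000_000_000, 1_000_000_000),
    "Gi1/0/5": PortCounters(4_294_960_000, 300_000, 1_000_000, 200_000_000),
}
AFTER = {
    "Gi1/0/1": PortCounters(1_200_000, 515_000, 818_000_000, 401_500_000),
    "Gi1/0/2": PortCounters(2_050_000, 2_160_000, 1_530_000_000, 1_640_000_000),
    "Gi1/0/3": PortCounters(5_100, 4_050, 3_008_000, 2_004_000),
    "Gi1/0/4": PortCounters(10_300_000, 9_030_000, 3_420_000_000, 1_003_000_000),
    "Gi1/0/5": PortCounters(150_000, 310_000, 16_729_600, 201_000_000),
}


def run_example() -> list:
    """Apply the heuristic to the constructed snapshots."""
    return suspicious_ports(BEFORE, AFTER)


if __name__ == "__main__":
    for port, io_ratio, avg_in in run_example():
        print(f"{port}: in/out ratio {io_ratio}, avg inbound packet {avg_in} bytes")
```

Feeding real data only requires replacing the two dictionaries with parsed output of two `snmpget`/`snmpwalk` runs; the packet-size filter is what separates a scanning host from a legitimate bulk sender, so keep it even when the ratio alone looks conclusive.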